
CWE-638 Not Using Complete Mediation: vulnerability list (1)

Summary of the 1 CVE vulnerability associated with the CWE-638 (Not Using Complete Mediation) weakness class, with AI-generated analysis in Chinese.

CWE-638 is an access-control weakness: the system does not perform a complete mediation check every time a resource is accessed. When an entity's privileges change over time and the system relies only on a cached initial authorization state, an attacker can use this weakness to bypass permission checks and reach resources that should be denied. Developers should verify permissions in real time on every resource access rather than relying on cached or one-time checks, so that privilege changes cannot leave stale access in place.

MITRE CWE official description
CWE: CWE-638 Not Using Complete Mediation. Description: The product does not perform access checks on a resource every time the resource is accessed by an entity, which might cause resultant weaknesses if that entity's rights or privileges change over time.
Common consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control, Other. Technical impact: Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Other.
A user might retain access to a critical resource even after privileges have been revoked, possibly allowing access to privileged functionality or sensitive information, depending on the role of the resource.
Mitigations (2)
Architecture and Design: Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible.
Architecture and Design: Identify all possible code paths that might access sensitive resources. If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface.
Code examples (2)
When executable library files are used on web servers, which is common in PHP applications, the developer might perform an access check in any user-facing executable and omit the access check from the library file itself. By directly requesting the library file (CWE-425), an attacker can bypass this access check.
When a developer begins to implement input validation for a web application, the validation is often performed in each area of the code that uses externally-controlled input. In complex applications with many inputs, the developer often misses a parameter here or a cookie there. One frequently-applied solution is to centralize all input validation, store these validated inputs in a separate data s…
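The following is an added example, not code from the CWE entry or from any listed project, illustrating both mitigations above: a cached authorization decision that survives privilege revocation (the CWE-638 pattern) beside a mediated guard that consults the live policy on every access, with all reads funnelled through a single checked interface. All names (PolicyStore, CachedGuard, MediatedGuard, SecretStore) and the sample policy data are constructed for the illustration.

```python
"""Complete mediation versus a cached access-control decision.

Added example, not part of the CWE-638 page. Names and data are
constructed; the only real thing here is the pattern.
"""
from dataclasses import dataclass, field


@dataclass
class PolicyStore:
    """Live policy: user -> role, role -> permitted actions (constructed data)."""
    roles: dict[str, set[str]] = field(default_factory=dict)
    users: dict[str, str] = field(default_factory=dict)

    def allows(self, user: str, action: str) -> bool:
        role = self.users.get(user)
        return role is not None and action in self.roles.get(role, set())


class CachedGuard:
    """Weak pattern (CWE-638): the first decision for (user, action) is cached
    and never re-evaluated, so a revoked role keeps working."""

    def __init__(self, policy: PolicyStore) -> None:
        self.policy = policy
        self._cache: dict[tuple[str, str], bool] = {}

    def check(self, user: str, action: str) -> bool:
        key = (user, action)
        if key not in self._cache:
            self._cache[key] = self.policy.allows(user, action)
        return self._cache[key]


class MediatedGuard:
    """Complete mediation: every call consults the current policy; nothing is cached."""

    def __init__(self, policy: PolicyStore) -> None:
        self.policy = policy

    def check(self, user: str, action: str) -> bool:
        return self.policy.allows(user, action)


class SecretStore:
    """Single access interface: the only way to reach the data is read(),
    which always runs the guard (the second mitigation above)."""

    def __init__(self, guard) -> None:
        self.guard = guard
        # Constructed sample resource.
        self._data = {"report.txt": "constructed sample secret"}

    def read(self, user: str, name: str) -> str:
        if not self.guard.check(user, "read"):
            raise PermissionError(f"{user} may not read {name}")
        return self._data[name]


def simulate_revocation(guard_cls) -> tuple[str, str]:
    """Grant alice read access, read once, revoke her role, read again.

    Returns (first_outcome, outcome_after_revocation), each "allowed" or "denied".
    """
    policy = PolicyStore(roles={"analyst": {"read"}}, users={"alice": "analyst"})
    store = SecretStore(guard_cls(policy))

    def attempt() -> str:
        try:
            store.read("alice", "report.txt")
            return "allowed"
        except PermissionError:
            return "denied"

    first = attempt()
    del policy.users["alice"]  # privilege change: alice's role is revoked
    return first, attempt()


if __name__ == "__main__":
    print("cached guard:  ", simulate_revocation(CachedGuard))
    print("mediated guard:", simulate_revocation(MediatedGuard))
```

With the cached guard the second read still succeeds after revocation, which is exactly the stale-privilege consequence the CWE entry describes; the mediated guard denies it. If a cache is unavoidable for performance, the first mitigation applies: every policy, role or identity change must invalidate the relevant cache entries.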
CVE ID | Title | CVSS | Risk level | Published
CVE-2024-56512 | Apache NiFi security vulnerability | 6.5 | - | 2024-12-28

CWE-638 (Not Using Complete Mediation) is a common weakness category; this platform has collected 1 CVE vulnerability associated with it.